On Thu, 17 Apr 2008 22:53:04 -0400
Etan Reisner <deryni at pidgin.im> wrote:
> > NOTE. This also copies a couple of files named otr.private_key and otr.fingerprints (which resided in the .purple folder) onto the memory stick. (Does this constitute a security risk? --- as the folders on the stick are not protected by any sort of user security.)
>
> I don't know enough about the OTR plugin to comment on this, you would
> likely be better off attempting to find the OTR people and asking them
> directly (I don't know who they are offhand).

While having these keys could allow someone else to pretend to be their
owner, it can't compromise previously held conversations as these are
not the session keys but those used to encrypt the key transactions
during conversation startup, that's a Diffie-Hellman exchange and so
far shows no sign of being breakable especially after the event.
Their security is probably better if on a USB stick in your pocket than
on a drive on an easily accessible machine, but of course they require
careful treatment and management.
--
Brian Morrison
"Arguing with an engineer is like wrestling with a pig in the mud;
after a while you realize you are muddy and the pig is enjoying it."